"The majority of functions are performed by other offices. IRM/IA is not doing
enough and is potentially leaving department systems vulnerable. IRM/IA has
conceded that other department elements have a greater role in information
security, diminishing the relevance of IRM/IA," the report said.

The office, established in 2004, is responsible for State's cybersecurity program
and information assurance policies.

The report made 32 recommendations, including performing an organizational
assessment as well as developing a mission statement that includes both short-
and long-term goals. The report stated the office did not have a mission
statement or formal goals during the investigation.

Though the arrival of a new chief information security officer, William Lay, has
improved the office atmosphere, the IRM/IA office does not have the workload to
justify its organizational structure, auditors found.

"In light of the lack of active involvement in many of its stated
responsibilities, the proposed IRM/IA office realignment for an additional deputy
position and one more division, as well as the need for some of the current
divisions, are not justified by the current level of work being performed. The
possibility of duplicative functions occurring between IRM/IA and other department
elements is likely," the report stated.

The office has inconsistencies in both policies and practices, according to the
report, causing some of the certification and assurance (C&A) processes it manages
to be ineffective. Many of the systems' operation authorizations have expired.

Even though IRM/IA is the lead office for C&A, it is only responsible for 56
percent of the department's programs. In many cases, the report said, some of
these programs are operating under authorizations that have been expired for two
years or more.

"When questioned, IRM/IA management stated that the responsibility for completing
system authorizations is with system owners. System owners have a responsibility
to complete the necessary documentation and assessments, but ultimately it is the
CISO's responsibility to verify that systems authorizations have been performed on
all Department systems in accordance with Title III of the E-Government Act of
2002," the report stated.

Additionally, the office showed poor performance in contract management, the
report stated. The former Policy, Liaison and Reporting division chief, who
recently departed, left large gaps in documentation for the staff member who
assumed his position, causing deficiencies in the office's contracting program,
according to the report.

The report also said existing contract documentation showed incomplete files, such
as one contract with a ceiling of $2 million that showed major inconsistencies. In
addition, the report said the office made payments without sufficient oversight
and that no personnel were regularly reviewing payments. The report said this
caused overpayments to some contractors.

The office said in a statement it will respond to the IG's recommendations.

"The U.S. Department of State takes the OIG feedback seriously and will respond
appropriately. Mr. William G. Lay was appointed to the position of Deputy Chief
Information Officer for Information Assurance and Chief Information Security
Officer for the U.S. Department of State in late 2012," the statement said.

IRM/IA staff includes 22 full-time employees and 36 contract employees, and
funding is $5.9 million per year, the report stated.